ShellShock – Highlights

Wednesday, 24 of September, Florian Weimer from Red Hat security team publicly announced on Open Source Security Maillng list a vulnerability in GNU Bash discovered by Stephane Chazelas. 1 hour later he released a patch and the technical details about the vulnerability – “an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation“. Essentially a command injection vulnerability that allows remote code execution. Meanwhile some news sites were already publishing details. This situation was not altogether confortable when it was known that details were disclosed before the embargo that was putted together in order to give vendors to patch it before it went public. This vulnerability got CVE-2014-6271 with a CVSS score of 10 and low score on complexity which means its easy to exploit. It affected all Bash versions prior to 4.3. The vectors of attack as described by the US-CERT include:

Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn GNU Bash subshells, or on any system where the /bin/sh interface is implemented using GNU Bash.

Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allows arbitrary command execution capabilities. This data path is vulnerable on systems where the /bin/sh interface is implemented using GNU Bash.

From the previous described attack vectors the HTTP requests to CGI scripts were identified as the major concern. While the news were still spreading, on the 25th of September when people were rushing to patch, Tavis Ormady proved that the patch was incomplete and the vulnerability was still exploitable. This got identified as CVE-2014-7169 with a CVSS score of 10. This got patched on Friday the 26th. Meanwhile another two vulnerabilities were discovered by Todd Sabin. Harder to pull off but still critical. They got CVE-2014-7186 and CVE-2014-7187. in the meantime Michal Zaleski who is another brilliant security researcher and works with Tavis on Google security team found two additional vulnerabilites. He gave the details privatelly in order to give time to patch. On 1st of October, Michal disclosed the details. These last two vvulnerabilities got CVE-2014-6277 and CVE-2014-6278. The last patchs from the vendors mitigate all the 6 vulnerabilities. Below is a timeline of the key dates during this rush week.

During the rush hours of the disclosure, Robert Graham from Errata Security started to massivelly scan the internet looking for vulnerable hosts. The results were impressive. Troy Hunt also wrote a nice summary about it. While security researchers, vendors and corporations were working together to assess and mitigate the risk of this vulnerability Evil started to show is fingers. Attacks started attempting to exploit the vulnerability. Rapid7 weaponized the exploit into Metasploit. Due to the wide amount of attacks seen SANS raised its INFOCON level to Yellow on the 26th. Johannes Ulrich wrote a great summary about it. Among the exploitation techniques seen were automated click fraud, reverse shell attempts, all kinds of recon activity, PERL bots and others. Trend Micro released a comprehensive.technical report. FireEye wrote a great summary on the exploit techniques seen in the wild.